Options Dialog

Privilege Manager Dialog

Introduction

A utility application that lists all the processes running on a system along with the DLLs they have loaded, and displays the path of each DLL, its load address, DLL base, image size and per-process information.

Features of this tool

- Displays all loaded DLLs of a process.
- Symbols in each DLL; click on any DLL to list them:
  - Index
  - Name
  - Address
  - Size
- Version of each DLL
- Description of the DLL
- Company name
- View each DLL with Dependency Walker if dependency viewing is enabled
- Full module path, i.e. where it was loaded from
- Load address
- Entry point
- Image size
- Load order
- Displays all drivers loaded in the system if you click on the main kernel process
- Process IDs
- Process owner
- Process command line
- Process auto-startup information
- Type of application, i.e. whether the application is a console, Windows or MS-DOS app.

Extracts the full path of each device driver. This did not work well for me, though: most of the returned paths were of the form \Windows\System32\Some.sys or \??\C:\..\Some.sys, so I had to use the SearchPath API to find where these device drivers are actually located, after adding the Drivers folder to the PATH variable to force this API to look there too.
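As an added example (not part of this article or its source), here is the path normalization step described above, written without the Windows headers so it compiles anywhere. The first and third path forms are the ones quoted above; the \SystemRoot\ form is one the driver enumeration APIs also return and is included from my own knowledge of those APIs. The systemRoot parameter, the function names and DriverSearchDirs are assumptions of the example.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Added helper, not from the Process Viewer source. Maps the NT-style driver
// paths the article describes onto a Win32 path so the file can be opened and
// hashed. systemRoot is assumed to hold the value of %SystemRoot%, e.g. "C:\Windows".
static bool StartsWithNoCase(const std::string& s, const std::string& prefix)
{
    if (s.size() < prefix.size()) return false;
    for (size_t i = 0; i < prefix.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(s[i])) !=
            std::tolower(static_cast<unsigned char>(prefix[i]))) return false;
    }
    return true;
}

std::string NormalizeDriverPath(const std::string& ntPath, const std::string& systemRoot)
{
    const std::string objPrefix = "\\??\\";          // "\??\C:\...\Some.sys"
    const std::string rootPrefix = "\\SystemRoot\\"; // "\SystemRoot\System32\drivers\Some.sys"

    // Form 1: object-manager prefix in front of a normal drive-letter path: strip it.
    if (StartsWithNoCase(ntPath, objPrefix))
        return ntPath.substr(objPrefix.size());

    // Form 2: symbolic \SystemRoot\ prefix: substitute %SystemRoot%, keeping the
    // backslash that follows it.
    if (StartsWithNoCase(ntPath, rootPrefix))
        return systemRoot + ntPath.substr(rootPrefix.size() - 1);

    // Form 3: "\Windows\System32\Some.sys", rooted on the system drive with no
    // drive letter: prepend the drive letter taken from systemRoot.
    if (!ntPath.empty() && ntPath[0] == '\\' && systemRoot.size() >= 2 && systemRoot[1] == ':')
        return systemRoot.substr(0, 2) + ntPath;

    // Anything else (already a drive-letter path, or a bare "Some.sys") is returned
    // unchanged; a bare name still needs a directory search such as SearchPath.
    return ntPath;
}

// Directories a bare driver name should be searched in, in order. This mirrors
// the article's trick of putting the Drivers folder on PATH without touching the
// environment of the whole process.
std::vector<std::string> DriverSearchDirs(const std::string& systemRoot)
{
    return { systemRoot + "\\System32\\drivers", systemRoot + "\\System32", systemRoot };
}
```

Bare file names (the last case) are where SearchPath comes in: rather than editing PATH, the directories from DriverSearchDirs can be handed to SearchPath one at a time through its lpPath parameter, and the first hit is the file to hash or inspect.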

You can use FILETIME directly, but be careful: except for the start time and exit time, the others won't work as expected (read the docs). Kernel time and user time need some additional work.

The best way is to either call FileTimeToSystemTime or put it into a COleDateTime. David Crow has written a nice article on this topic; I recommend you read it.
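To show the difference between the two kinds of FILETIME value mentioned above, here is an added example (not from this article or its source). A local FileTime64 struct stands in for FILETIME so the code builds without <windows.h>, and the function names are assumptions of the example. Start and exit time are converted as calendar timestamps; kernel and user time as durations.

```cpp
#include <cstdint>

// Added example, not the article's code. FileTime64 has the same layout as the
// Win32 FILETIME (a 64-bit count of 100-nanosecond ticks split into two DWORDs);
// it is declared here (assumption) so the example builds without <windows.h>.
struct FileTime64 {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
};

const uint64_t kTicksPerSecond = 10000000ULL;      // 100 ns ticks per second
const uint64_t kTicksPerMillisecond = 10000ULL;
// Ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
const uint64_t kUnixEpochTicks = 116444736000000000ULL;

uint64_t FileTimeToTicks(const FileTime64& ft)
{
    return (static_cast<uint64_t>(ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
}

FileTime64 TicksToFileTime(uint64_t ticks)
{
    FileTime64 ft;
    ft.dwLowDateTime = static_cast<uint32_t>(ticks & 0xFFFFFFFFULL);
    ft.dwHighDateTime = static_cast<uint32_t>(ticks >> 32);
    return ft;
}

// Creation and exit time are absolute timestamps: convert them to Unix seconds
// (the same thing FileTimeToSystemTime / COleDateTime do, in a different unit).
int64_t FileTimeToUnixSeconds(const FileTime64& ft)
{
    return (static_cast<int64_t>(FileTimeToTicks(ft)) - static_cast<int64_t>(kUnixEpochTicks))
           / static_cast<int64_t>(kTicksPerSecond);
}

// Kernel and user time are durations, not dates. Feeding them through a date
// conversion gives a bogus calendar value near 1601; treat the tick count as
// elapsed time instead.
uint64_t DurationMilliseconds(const FileTime64& ft)
{
    return FileTimeToTicks(ft) / kTicksPerMillisecond;
}

// CPU share of a process over its lifetime so far: (kernel + user) / (now - start).
// All four inputs are FILETIME-style values; returns 0 if the wall-clock span is empty.
double CpuPercent(const FileTime64& kernel, const FileTime64& user,
                  const FileTime64& start, const FileTime64& now)
{
    uint64_t wall = FileTimeToTicks(now) - FileTimeToTicks(start);
    if (wall == 0) return 0.0;
    uint64_t cpu = FileTimeToTicks(kernel) + FileTimeToTicks(user);
    return 100.0 * static_cast<double>(cpu) / static_cast<double>(wall);
}
```

In a real viewer the four values for CpuPercent come from GetProcessTimes (kernel, user, creation) and GetSystemTimeAsFileTime (now); a process that shows a high CPU share while listing few modules is the kind of thing worth a closer look in the tree.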

SearchPath

Read the docs carefully for this function. There is no point describing how this API works here, since it is well documented.

Search

Process Viewer supports searching the loaded modules. You can search for a particular process or a DLL. Search does not support wildcards; it just does a StrStrI (case-insensitive substring) search. So if you search for "shell", the hits will be "shell32.dll", "someshell.dll", "myShelldll.dll", etc.

Press Ctrl + F to search.

Dependency viewing

Double-click on any module or process to view its dependencies. You need Dependency Walker installed on your system, and this only happens if dependency viewing is enabled; the fourth toolbar button toggles it.

Full path

To view the full path of a loaded process, enable full paths by clicking the green tick button (the third one) on the toolbar.

Refresh

To refresh, either click the first button on the toolbar or press F5.

Swap view

To switch from vertical view to horizontal view or vice versa, press F6 or click the second button on the toolbar.

Kill Process

Select a particular process to kill, then press F8 or click the kill button. When a process is killed it is not removed from the process listing; instead its name is set to bold. Press F5/Refresh to remove killed processes from the tree. This is done mainly to retain a snapshot of that process, which helps if there is some trojan running and you want to see detailed information about it without leaving it running.

NOTE: Do not kill the kernel process, I tried and the whole system came down.

Options

Press F7 to display the options dialog. You can set various options for process viewing there; more options will be added.

CSV Module listing and symbol listing

To save the list of modules for a process, press Ctrl + A to select all modules and then Ctrl + C. Things to remember:

- If the cursor is on an item, only that subitem (or subitems) is copied to the clipboard. So to copy more than one subitem, first select the required subitems, then place the cursor on that subitem column and copy.
- To copy the entire contents, move the cursor out of the list view.
- Open Notepad and paste.
- Save as anyfilename.csv.
- Open it with a CSV viewer such as Excel.

The same applies to symbol listing.
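An added example, not the Process Viewer's own clipboard code, of writing a module list as proper CSV: fields that contain commas or quotes are quoted, so a path such as "C:\Program Files\Tools, Inc\vendor.dll" does not shift the columns when the file is opened in Excel. ModuleRecord, SampleModules and all the values in them are constructed for the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Added example, not the Process Viewer's clipboard code. ModuleRecord is a
// constructed record type whose fields follow the columns the article lists.
struct ModuleRecord {
    std::string name;
    std::string path;
    uint64_t loadAddress;
    uint32_t imageSize;
    std::string company;
};

// Quote a field the way CSV readers such as Excel expect (RFC 4180): wrap it in
// double quotes when it contains a comma, a quote or a line break, and double
// any embedded quotes. Without this a path or company name containing a comma
// shifts every column to its right.
std::string CsvField(const std::string& f)
{
    if (f.find_first_of(",\"\r\n") == std::string::npos) return f;
    std::string out = "\"";
    for (char c : f) {
        if (c == '"') out += "\"\"";
        else out += c;
    }
    out += "\"";
    return out;
}

std::string HexAddress(uint64_t v)
{
    std::ostringstream o;
    o << "0x" << std::hex << std::uppercase << v;
    return o.str();
}

// One header row plus one row per module, CRLF-terminated as Excel prefers.
std::string ModulesToCsv(const std::vector<ModuleRecord>& mods)
{
    std::string out = "Name,Path,Load address,Image size,Company\r\n";
    for (const ModuleRecord& m : mods) {
        out += CsvField(m.name) + "," + CsvField(m.path) + "," +
               HexAddress(m.loadAddress) + "," + std::to_string(m.imageSize) + "," +
               CsvField(m.company) + "\r\n";
    }
    return out;
}

// Constructed sample input; names, addresses and sizes are made up for the example.
std::vector<ModuleRecord> SampleModules()
{
    return {
        { "shell32.dll", "C:\\Windows\\System32\\shell32.dll", 0x7C9C0000ULL, 0x817000u, "Example Corp" },
        { "vendor.dll",  "C:\\Program Files\\Tools, Inc\\vendor.dll", 0x10000000ULL, 0x20000u, "Tools, Inc" },
    };
}
```

The same writer serves the symbol listing: swap ModuleRecord for a record with the Index, Name, Address and Size columns and keep CsvField as it is.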

View aspect saving

Saves your settings to an ini file, for example column order, divider pane size and main window size. This lets you change the order of the list view columns to your liking; even column widths are saved.

Utils

There is a FileVersionInfo class and a DividerWnd class which can be reused, and a WindowCollection class for enumerating all open windows.

FileVersionInfo extracts version information from a module. DividerWnd is a simple, lightweight splitter.

Acknowledgements

The bitmap that you see in this application's tree view and list view has been taken from Dominik's KeePass app.

Hey Ralph, thanks for those comments. I have implemented most of them, but a rewrite is pending (reusability). Thanks once again.


About the Author

I am a computer programmer who started his career as a Java programmer in 2000. I wrote a game and several applications like editors, DB apps, etc. in Java. My fascination for programming went on a high in the following years. I did a two-year post-graduate diploma, because of which I got introduced to a plethora of languages. My favorite at that time was VB because it was way too easy to program; IntelliSense was too cool.

I joined an NGO in 2002 as a part-time computer programmer. My primary responsibility was to develop their website and to write apps for them in VB. During this process I got introduced to DHTML, CSS, HTML and JavaScript; wow, I had a hell of a time. I learned and learned and learned during this time. I got into Visual C++ because of my post-graduation in computer applications. I was forced into this powerful language, but how lucky I am. Initially I was scared of the CreateFont API, but now it's a piece of cake.

As of now I'm working as a Visual C++ engineer with Microsoft. My passion for this language never ends. It's the raw power of the language, the kind of performance and flexibility it provides, that keeps me motivated to continue working in it. I started working in VC6 and have continued all the way through to the latest version of Visual C++.

I'm part of the Microsoft Developer Support - Programming Languages Team. Enjoying every day.

Comments and Discussions

Some of us have no intention, desire or $$ to update to the latest MS "products". Sadly, useful applications like this one will not run on Win2000, which does not support anything .NET. It may be obvious to all younger programmers, but please make a note in the future of what platform you have tested it on. (Maybe you have said; if I did not see it, my apology.) Thanks anyway for a very nice tool. I'll google it for my ancient OS. Wish me luck. Vaclav